Fast, efficient error reconciliation for quantum cryptography 
We describe a new error reconciliation protocol, Winnow, based on the exchange of parity and Hamming's "syndrome" for $N_h$-bit subunits of a large data set. Winnow was developed in the context of quantum key distribution and offers significant advantages and net higher efficiency compared to other widely used protocols within the quantum cryptography community. A detailed mathematical analysis of Winnow is presented in the context of practical implementations of quantum key distribution; in particular, the information overhead required for secure implementation is one of the most important criteria in the evaluation of a particular error reconciliation protocol. The increase in efficiency for Winnow is due largely to the reduction in authenticated public communication required for its implementation.

PACS Numbers: 03.67.Dd, 03.67.Hk 



I. INTRODUCTION 

Quantum cryptography [1] presents special problems 
in regard to error correction of noisy quantum commu- 
nications. Under the constraint that the public channel 
can be authenticated, and the assumption that all public 
communications can be eavesdropped, classical informa- 
tion on the exchanged qubits must be revealed through 
a series of public discussions to test the quantum key in- 
tegrity and to remove the errors. Discrepancies within 
the qubits, observed as errors, must be treated as having 
been introduced by a hostile eavesdropper; the eaves- 
dropper is generally referred to as Eve and labeled E in 
this work. 

In a classical environment all errors can always be removed, with the condition that to remove all errors one may have to reveal all information. However, within the secrecy framework imposed by quantum key distribution (QKD), revealed information reduces privacy and the effective channel capacity. Because of this, great care must be taken to reveal a minimal amount of information to remove errors from the quantum key, while accounting for the leaked information to ensure key integrity after errors are removed.

Within this context of QKD, the two parties that ex- 
change qubits over a quantum channel (Alice (A) and 
Bob (B) is the notation typically used within the quan- 
tum cryptography community) must have a fast and ef- 
ficient method to mend the quantum key; in addition, 
they must also reduce E's knowledge gained during pub- 
lic discussions to a vanishingly small amount. These 
constraints require that any error reconciliation protocol 
will also need supporting protocols to provide a complete 
framework for quantum cryptographic security. That 
is, a useable QKD system will comprise a quantum-key 
transmitter (A) and receiver (B), and a series of proto- 
cols to remove errors and account for and mitigate the 
information leakage attributable to E. The series of protocols includes [2,3], but is not necessarily limited to, the following: error reconciliation [4,5], privacy amplification [6] and signature authentication [7].

In addition to these protocols, we acknowledge a pro- 
tocol generally formulated in [4] that we refer to as pri- 
vacy maintenance. We also note that the predecessor 
to CASCADE [5] — the best known and probably the 
most widely used error reconciliation protocol — is also 
generally formulated in [4] and is characterized by a bi- 
nary search; here we refer to the binary search, which 
is a major element of CASCADE, as BINARY. A fun- 
damental difference between BINARY and CASCADE is 
that CASCADE neglects privacy maintenance: all data 
are retained until the necessary privacy amplification is 
performed on the error-free data. We observe that the 
reconciliation process is more efficient if privacy main- 
tenance is implemented during reconciliation as will be- 
come obvious in the following discussion. 

Finally, this work introduces a new error reconciliation 
protocol that uses a Hamming code [8,9] to remove errors. 
We refer to this protocol as Winnow. Winnow is charac- 
terized by the application of a parity test, a conditional 
Hamming hash, and privacy maintenance. 



II. HAMMING ERROR DETECTION AND 
CORRECTION 

The application of the Hamming hash function for error correction [8,9] is illustrated as follows:

First, after A and B exchange qubits on the quantum channel, A and B divide their random bits into blocks of length $N_h = 2^m - 1$. (Due to the 1:1 correlation of these data, we henceforth refer to these blocks as a single data- or bit-block.) The $m$-bit ($m \geq 3$) syndromes $S_a$ and $S_b$ are then calculated, where $S_a$ and $S_b$ respectively depend only on A's or B's bits in a particular block.



1 



Next, B transmits his syndrome to A, and errors are only discovered if the syndrome difference $S_d$ (exclusive or of $S_a$ with $S_b$) is non-zero:

$$S_d = S_a \oplus S_b \neq \{0\}^m. \qquad (1)$$



Finally, $m$ bits are deleted from each bit block to eliminate the potential loss of privacy to E due to the (classical) communication of B's syndromes: $m$ bits of information are revealed on each block for which $S_b$ is revealed, reducing the channel capacity per symbol by $m/N_h$ [10].

Specifically, data privacy is maintained by removal of $m$ bits from each block at the $\{2^j\}$ positions, where $j \in \{0, \ldots, m-1\}$. These bits are independent in the syndrome calculations, as seen below in the matrix $h^{(m)}$:



$$h^{(3)} = \begin{pmatrix} 1 & 0 & 1 & 0 & 1 & 0 & 1 \\ 0 & 1 & 1 & 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 \end{pmatrix}, \qquad (2)$$



where for this particular matrix, $m = 3$. We refer to the operation of discarding bits in this manner [4] as privacy maintenance.

As a final comment on Eq. 2, note that the columns of $h^{(3)}$ (the rows of its transpose $[h^{(3)}]^T$) are the binary equivalents of the numbers 1 to 7; this generalizes such that the rows of $[h^{(m)}]^T$ are the $N_h$ binary numbers $\{1, \ldots, 2^m - 1\}$.

The matrix $h^{(m)}$ is a special form of hash function [11] and is represented by:

$$h^{(m)}_{ij} = \left\lfloor \frac{j}{2^{\,i-1}} \right\rfloor \pmod 2, \qquad (3)$$

where $i \in \{1, \ldots, m\}$ and $j \in \{1, \ldots, N_h\}$; arithmetic is modulo 2.

The Hamming algorithm always corrects any single error within any $N_h$-bit block, but the effect of the Hamming algorithm, which is related to the syndromes and privacy maintenance, is less clear in the event that more than one error exists in a bit block. Such considerations are now discussed in detail in terms of the syndromes.

The syndromes $S_a$ and $S_b$ are formed by contraction of the $N_h$-bit blocks with the matrix $h^{(m)}$:

$$S_i = \sum_{j=1}^{N_h} h^{(m)}_{ij}\, x_j \pmod 2 \;\in\; \{0, 1\}, \qquad (4)$$



where subscript $i$ represents syndrome bit $i$ in the $m$-bit binary syndrome, $x_j$ represents bit $j$ of A's or B's block, and $S = \{S_i\}$ is the binary syndrome value of either B's or A's block. Understanding the effect of the syndromes in locating and correcting errors is crucial to assessing the performance of Hamming, and thus Winnow.

The syndrome difference (Eq. 1) defines a binary number that gives the location of a single bit in A's or B's code word that, when toggled from $0 \to 1$ or from $1 \to 0$, affects the syndrome difference $S_d$ such that when the syndrome difference is recalculated it gives the binary number $S'_d = \{0\}^m$. For example, if $S_d \neq \{0\}^m$, then $S_d$ is an $m$-bit binary number whose value gives the location of a single bit in either A's or B's code word to add (exclusive or) with the original bit value. After that bit value is changed, the new syndrome for that code word is calculated (e.g. $S'_a$) and added (again, exclusive or) to the original syndrome for the other code word ($S_b$ in this example). The result is that changing the single bit indicated by the non-zero syndrome difference in the one code word either corrects an error, or introduces another, in that code word. This is no great mystery but rather reflects the fact that Hamming codes are $n$-$k$ codes. In this case, $n = 2^m - 1$ is the number of bits in each code word ($N_h$), and $k = n - m$ relates to the channel capacity (the channel capacity is $k/n = k/N_h$ per bit) given the code (a Hamming code in this discussion).

In an $n$-$k$ Hamming code, there are $2^{N_h}$ unique code words characterized by $2^m$ unique syndromes; further, there are $2^k$ code words with the same syndrome. Because this code can correct 1 error, it has a minimum Hamming distance of $d = 3$. This also means it can detect at least 2 errors. In fact the Hamming distance $d$ for the Hamming code is $d = 3$.

By definition, a code word with a single error will have $S_d \neq \{0\}^m$ (the code can obviously detect a single error if it can correct a single error). In addition, if a code word has exactly 2 errors then by definition $S_d \neq \{0\}^m$ (it can detect at least 2 errors if it can correct a single error). Therefore, if a code word has exactly 2 errors, then after applying the Hamming algorithm, and after changing the bit value indicated by $S_d$, the code word will finish with exactly 3 errors. The proof is by contradiction: if a code word with 2 errors finished with 1 error (an error was corrected), then the new syndrome difference would be non-zero! Contradiction also proves that the error is corrected if there is exactly 1 error: if an error was introduced, the syndrome difference would again be non-zero. Thus, in examining Hamming codes we observe that a code word with 1 error will finish with 0 errors, but a code word with exactly 2 errors finishes with exactly 3 errors. In each case the new syndrome difference changes such that $S'_d = \{0\}^m$.

By symmetry, if an $N_h$-bit code word contains exactly $N_h - 1$ errors (all the bits except one are in error), then after application of Hamming all the bits in the code word will be in error. Further, a code word that contains $N_h - 2$ errors will finish with $N_h - 3$ errors, i.e. one of the errors is corrected.

The above arguments imply that a Hamming code only works well if the probability of 2 or more errors is low relative to the likelihood of a single, or no, errors. In either case the Hamming code is inefficient, as $m$ bits are revealed in the syndrome (this fact is discussed in detail later).



The difficult question to answer in analyzing the performance of a Hamming code is how Hamming affects code words with more than 2, but fewer than $2^{m-1}$, errors.



It is not obvious, but the number of code words with 3 errors and $S_d = \{0\}^m$ is related to the number of ways 2-error code words map to a code word with 3 errors (and $S_d = \{0\}^m$). In other words, there must be a way to arrange 3 errors in a code word and still maintain $S_d = \{0\}^m$. Lacking this would mean that the code could always detect more than 2 errors with a Hamming distance of $d = 3$.

To complete the Hamming efficiency analysis, how code words with 3 or more errors are affected after application of Hamming must be analyzed. For 3 errors it is now obvious: there must be at least $2^m - 1$ ways to start with 3 errors in an $N_h$-bit code word and still finish with 3 errors. In the case that there exist 3 errors in a code word and $S_d \neq \{0\}^m$, an error will be introduced into the $N_h$-bit code word, because if the code word finished with 2 errors then $S_d \neq \{0\}^m$, a contradiction.

As a special case (example), consider $m = 3$. There are $\binom{7}{3} = 35$ ways to arrange 3 errors in 7 bits. Because there are exactly 7 non-zero syndrome differences for $m = 3$ and $n_i = 2$, there must be at least 7 ways to arrange 3 errors in 7 bits and have $S_d = \{0\}^m$. In fact for this special case this is the result. What this means is that, statistically, 7 in 35 code words with 3 errors will finish with 3 errors, and 28 in 35 words with 3 errors will finish with 4 errors. Thus, code words that start with 3 errors will finish with 19/5 errors per 7-bit block, in the limit of an infinite number of 7-bit blocks with exactly 3 errors. By symmetry, it is obvious that given an infinite number of 7-bit blocks with exactly 4 errors, the final error rate per block would be 16/5, a lower final error rate.
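The following Python is an added worked example, not code from the paper: it builds the hash $h^{(m)}$ of Eqs. 2 and 3, forms the syndromes of Eq. 4, applies the single-bit correction driven by $S_d$, and then enumerates every way of placing $n_i$ errors in an $N_h$-bit block to tally how many errors remain. For $m = 3$ it reproduces the figures above (7 of 35 three-error blocks stay at 3 errors, 28 go to 4, mean 19/5; four-error blocks average 16/5). The choice to place the error pattern in A's block and let A correct toward B is an assumption of the example; only the A/B difference pattern matters for the counts.

```python
# Added example (not from the paper): Hamming hash, syndromes, correction step and
# a brute-force count of how n_i-error blocks finish after one Hamming step.
from fractions import Fraction
from itertools import combinations


def hamming_matrix(m):
    """h^(m): m rows of N_h = 2^m - 1 bits; column j is j written in binary,
    least-significant bit in row 1 (Eq. 2 / Eq. 3)."""
    n_h = 2 ** m - 1
    return [[(j >> (i - 1)) & 1 for j in range(1, n_h + 1)] for i in range(1, m + 1)]


def syndrome(block, m):
    """S_i = sum_j h_ij x_j (mod 2) for i = 1..m (Eq. 4), packed into one integer
    whose bit i-1 is S_i, so that a lone error at position j (1-indexed) yields j."""
    h = hamming_matrix(m)
    return sum((sum(h[i][j] & x for j, x in enumerate(block)) & 1) << i for i in range(m))


def hamming_step(a_block, b_block, m):
    """One application of the Hamming algorithm: A learns S_b, forms
    S_d = S_a xor S_b (Eq. 1) and, if S_d != 0, toggles her bit at position S_d.
    Returns A's corrected block (B's block is unchanged)."""
    s_d = syndrome(a_block, m) ^ syndrome(b_block, m)
    a_block = list(a_block)
    if s_d:
        a_block[s_d - 1] ^= 1
    return a_block


def final_error_histogram(n_errors, m):
    """For every way of placing n_errors discrepancies in an N_h-bit block, run one
    Hamming step and tally the number of discrepancies left: {n_final: count}."""
    n_h = 2 ** m - 1
    b_block = [0] * n_h  # B's bits; w.l.o.g. only the A/B difference pattern matters
    hist = {}
    for pos in combinations(range(n_h), n_errors):
        a_block = [1 if j in pos else 0 for j in range(n_h)]
        corrected = hamming_step(a_block, b_block, m)
        n_final = sum(x ^ y for x, y in zip(corrected, b_block))
        hist[n_final] = hist.get(n_final, 0) + 1
    return hist


def mean_final_errors(n_errors, m):
    """Exact average number of errors left per block, e.g. 19/5 for n_i = 3, m = 3."""
    hist = final_error_histogram(n_errors, m)
    return Fraction(sum(k * c for k, c in hist.items()), sum(hist.values()))


if __name__ == "__main__":
    for n_i in range(0, 8):
        print(f"m=3, n_i={n_i}: {final_error_histogram(n_i, 3)}  mean={mean_final_errors(n_i, 3)}")
```

Running the block prints one line per $n_i$; the $n_i = 6$ and $n_i = 5$ rows show the complementary cases ($N_h - 1$ errors become $N_h$, $N_h - 2$ become $N_h - 3$) discussed above.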

Thus, what is needed is a way to calculate, for any number $m$ of parity checks in Hamming, the number of ways to arrange the initial number of errors per block and finish with $S_d = \{0\}^m$, or with $S_d \neq \{0\}^m$. Eq. 6 permits that calculation for any initial number of errors per block, $n_i$, given any initial block size, $N_h$:

$$-N_{S_d \neq 0} + N_h \cdot N_{S_d = 0} = (-1)^{q}\, N_h \binom{2^{m-1} - 1}{p}, \qquad (5)$$

where $q = \lceil n_i/2 \rceil$, $p = \lfloor n_i/2 \rfloor$, and $n_i$ is the initial number of errors per Hamming block of $N_h = 2^m - 1$ bits per block; in this situation, $N_{S_d = 0}$ gives the number of syndrome differences with $S_d = \{0\}^m$, and $N_{S_d \neq 0}$ gives the number of syndrome differences with $S_d \neq \{0\}^m$. Eq. 6 is generalized by dividing both sides by the total number of ways to arrange $n_i$ errors in the $N_h$ bits. In this situation we find a more useful quantity:

$$\Pi_{S_d = 0} = \frac{N_{S_d = 0}}{\binom{N_h}{n_i}} \quad \text{and} \quad \Pi_{S_d \neq 0} = \frac{N_{S_d \neq 0}}{\binom{N_h}{n_i}} = 1 - \Pi_{S_d = 0}. \qquad (6)$$



This result is required later. 

These arguments are not obviously general for the case of $m > 3$, but they give insight into the general problem. The difficulty with the special case of $m = 3$ and $n_i = 3$ is that the next case of $n_i = 4$ is symmetric and complementary with $n_i = 3$, as mentioned previously. Further, as was noted, there is no path to map 3 errors to 2 errors, as $S_d \neq \{0\}^m$ when there are exactly 2 errors. However, Eq. 6 is the general technique to calculate the quantities specified, i.e. the number of ways to map $n_i$ errors to $S_d = \{0\}^m$ or not, given $N_h = 2^m - 1$ bits in a block.

Given these facts, how the errors change for $m \geq 4$ and $4 \leq n_i < 2^{m-1}$ is the general result of interest.

Let $n_i^{(+)}$ be the number of ways to increase the number of errors from $n_i$ to $n_i + 1$ in a bit block, and $n_i^{(-)}$ the number of ways to decrease the number of errors from $n_i$ to $n_i - 1$; of course, the considerations relate to $m \geq 4$. The results are as follows:

$$n_i^{(+)} = (n_i + 1)\, N_{S_d = 0}(N_h \mid n_i + 1), \qquad n_i^{(-)} = \binom{N_h}{n_i} - N_{S_d = 0}(N_h \mid n_i) - n_i^{(+)}, \qquad (7)$$

where $N_{S_d = 0}(N_h \mid n_i + 1)$ is the number of ways to arrange $n_i + 1$ errors in $N_h$ bits and obtain $S_d = \{0\}^m$ (the reader will recall that earlier it was stated that the number of ways to get $S_d = \{0\}^m$ for $n_i + 1$ errors is directly related to the number of ways to map $n_i \to n_i + 1$ errors); of course, $N_{S_d = 0}(N_h \mid n_i)$ is the number of ways to arrange $n_i$ errors in $N_h$ bits and get $S_d = \{0\}^m$. Thus, the generalized probability for the number of errors $n_i$ to increase, or decrease, is:

$$\Pi^{(+)} = \frac{n_i^{(+)}}{n_i^{(+)} + n_i^{(-)}}, \quad \text{and} \quad \Pi^{(-)} = 1 - \Pi^{(+)}. \qquad (8)$$
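As an added example (not code from the paper), the Python below evaluates Eqs. 5 through 8 for general $m$: it solves Eq. 5 for $N_{S_d = 0}$ using $N_{S_d \neq 0} = \binom{N_h}{n_i} - N_{S_d = 0}$, forms $\Pi_{S_d = 0}$, the transition counts $n_i^{(\pm)}$ and $\Pi^{(+)}$, and checks the closed form against an exhaustive enumeration of error patterns for $m = 4$ (a check chosen for this example; the paper states the result without one). The enumeration uses the fact that column $j$ of $h^{(m)}$ is $j$ in binary, so the syndrome of a pattern is the XOR of its 1-indexed error positions.

```python
# Added example (not from the paper): closed-form Hamming counts of Eqs. 5-8 for
# general m, verified by exhaustive enumeration for m = 4.
from fractions import Fraction
from functools import reduce
from itertools import combinations
from math import comb
from operator import xor


def n_sd_zero(m, n_i):
    """Number of ways to place n_i errors in N_h = 2^m - 1 bits and get S_d = {0}^m,
    obtained by solving Eq. 5 with N_{S_d!=0} = C(N_h, n_i) - N_{S_d=0}."""
    n_h = 2 ** m - 1
    if not 0 <= n_i <= n_h:
        return 0
    q, p = -(-n_i // 2), n_i // 2  # ceil(n_i/2), floor(n_i/2)
    value, rem = divmod(comb(n_h, n_i) + (-1) ** q * n_h * comb(2 ** (m - 1) - 1, p), n_h + 1)
    assert rem == 0, "Eq. 5 must yield an integer count"
    return value


def pi_sd_zero(m, n_i):
    """Eq. 6: fraction of the n_i-error arrangements that have S_d = 0."""
    return Fraction(n_sd_zero(m, n_i), comb(2 ** m - 1, n_i))


def transitions(m, n_i):
    """Eq. 7: (n^(+), n^(-)) = ways to go from n_i to n_i + 1 or to n_i - 1 errors."""
    n_plus = (n_i + 1) * n_sd_zero(m, n_i + 1)
    n_minus = comb(2 ** m - 1, n_i) - n_sd_zero(m, n_i) - n_plus
    return n_plus, n_minus


def pi_plus(m, n_i):
    """Eq. 8: probability that a block with S_d != 0 gains an error when corrected."""
    n_plus, n_minus = transitions(m, n_i)
    return Fraction(n_plus, n_plus + n_minus) if n_plus + n_minus else Fraction(0)


def n_sd_zero_brute(m, n_i):
    """Exhaustive count: the syndrome of an error pattern is the XOR of its
    1-indexed positions (column j of h^(m) is j in binary); count the zero ones."""
    n_h = 2 ** m - 1
    return sum(1 for pos in combinations(range(1, n_h + 1), n_i) if reduce(xor, pos, 0) == 0)


def closed_form_matches_brute_force(m):
    """True when Eq. 5 agrees with enumeration for every n_i in 0..N_h."""
    return all(n_sd_zero(m, n_i) == n_sd_zero_brute(m, n_i) for n_i in range(2 ** m))


if __name__ == "__main__":
    for n_i in range(8):
        print(f"m=3 n_i={n_i}: N_Sd=0={n_sd_zero(3, n_i)} (n+, n-)={transitions(3, n_i)} "
              f"Pi+={pi_plus(3, n_i)}")
    print("m=4: closed form matches enumeration:", closed_form_matches_brute_force(4))
```

For $m = 3$ the output gives $N_{S_d = 0} = 1, 0, 0, 7, 7, 0, 0, 1$ for $n_i = 0, \ldots, 7$, so $\Pi^{(+)}(3) = 1$ (every three-error block with $S_d \neq 0$ gains an error) and $\Pi^{(+)}(4) = 0$, which is the 19/5 versus 16/5 asymmetry noted earlier.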



III. WINNOW 

As a general rule, the ideal error correcting protocol would correct all bit errors in each bit block, introduce no additional bit errors, and reveal a minimal amount of information on the key bits to an eavesdropper through public communication. The outlined Hamming protocol has a number of shortcomings regarding this ideal. First, the difference syndrome $S_d$ does not distinguish between single- and multiple-bit errors. Therefore, additional errors may be introduced if instances of $S_d \neq \{0\}^m$ are treated as due to single errors. Second, up to $m$ bits of information are exchanged for each data block, reducing channel capacity per symbol with each exchange: information which can be compromised by eavesdropping.

One solution is to eliminate all bits within data blocks for which $S_d \neq \{0\}^m$. This certainly removes the possibility of introducing additional bit errors into the key, but, unfortunately, the efficiency of such a method is low, as every block loses either $m$ bits to privacy maintenance, or all bits because $S_d \neq \{0\}^m$. The efficiency of this approach is not optimal, as most of the discarded bits/blocks for which $S_d \neq \{0\}^m$ are probably not in error.

Another, more powerful solution is to introduce a preliminary parity comparison on a block of $N = 2^m$ bits and to make a comparison of the syndromes $S_a$ and $S_b$ conditional upon the result of the parity comparison.*

If the block parities do not agree, an odd number of errors exists in the $N$-bit block. Moreover, if the bit errors are distributed randomly throughout the data, and if the number of errors is sufficiently small, then an odd number of errors in a block probably indicates a single error, which can be corrected by the additional application of the Hamming algorithm. For example, in the situation that a block contains one bit error, if $S_d = \{0\}^m$ then the first bit is in error. (By symmetry it is clear that if there are exactly $N - 1$ errors in the block the first bit would not be in error.) Thus, this approach always allows the correction of a single error in the $N$ bits, i.e. if the bits are to be retained. However, in the protocol outlined here the one bit is regularly discarded for privacy maintenance (for the exchanged parity bit) and the Hamming algorithm is applied to the remaining $N_h$ bits, as previously discussed, and then $\lceil \log_2(N_h) \rceil$ additional bits are discarded to complete the privacy maintenance, giving a channel capacity of $(2^m - m - 1)/N$ per symbol on blocks that contain an initial parity error. This appears to be an additional loss of channel capacity, but because the syndromes are not exchanged and compared when the block parities agree, the channel capacity actually increases over the basic Hamming algorithm; one bit is still discarded from the blocks that do not exhibit a parity error for privacy maintenance. We refer to this error reconciliation protocol as Winnow.

* Hamming discusses the addition of a parity check on the $N_h = 2^m - 1$ bit block [9] (pp. 47-48; pp. 213-214). His conclusion is that A and B are more likely to introduce additional errors than correct errors by changing a bit if $S_d \neq \{0\}^m$ and the block parities agree. In this situation A and B could either remove the $m + 1$ bits required to ensure privacy on the remaining bits (which may remove errors), or they could eliminate all of the bits in question, as $n_i \in \{2, 4, \ldots, 2^m - 2\} > 1$. The expanded protocol described in this effort allows the detection of an even or odd number of errors and prevents a correction attempt on those data blocks with even numbers of errors. This is important since the Hamming algorithm will increase the number of errors in blocks which have $2 \leq n_i \leq N_h/2$.

Winnow reveals $\log_2(N) + 1$ bits in 2 classical communications when the parities on the $N$ bits do not agree: $m$ bits for the syndrome and 1 bit for parity; conversely, Winnow reveals 1 bit of information in 1 classical communication when the parities agree.†

Therefore, the amount of key data discarded is

$$N_d^{\mathrm{odd}} = \log_2(N) + 1 = m + 1 \qquad (9)$$

bits for blocks with odd numbers of errors, such that the fraction of the bits remaining after privacy maintenance is

$$\mu^{\mathrm{odd}} = 1 - \frac{N_d^{\mathrm{odd}}}{N}. \qquad (10)$$

For $N \in \{8, 16, 32, 64, 128\}$, $\mu^{\mathrm{odd}} \in \{0.5, 0.69, 0.88, 0.89, 0.94\}$, respectively. Also,

$$\mu^{\mathrm{even}} = 1 - \frac{1}{N}, \qquad (11)$$

and $\mu^{\mathrm{even}} \in \{0.88, 0.94, 0.97, 0.98, 0.99\}$ for the same values of $N$. In either case, the appropriate overhead for the classical communications is also removed immediately from the data so that the privacy of the bits is at least maintained if not improved.

All single bit errors in an A"-block are guaranteed to 
be either eliminated or corrected after a single pass of 
Winnow (a Winnowing). What remains to be consid- 
ered is how blocks with multiple errors affect the overall 
efficiency of Winnow. 
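The Python below is an added worked example, not code from the paper or any QKD implementation: it runs one Winnowing over $N = 2^m$-bit blocks with both parties' public messages recorded. For each block B sends his parity; both sides drop bit 0; only if the parities differ does B send his $m$-bit syndrome, after which A toggles the bit $S_d$ points at and both drop the $m$ bits at the positions $2^j$. The keys are constructed inside `demo` (a seeded random key with one error in block 0, none in block 1 and two in block 2); the direction of correction (A adjusts toward B) and the message format are assumptions of the example.

```python
# Added example (not from the paper): one Winnow pass with parity exchange,
# conditional syndrome exchange and privacy maintenance, on constructed keys.
import random
from functools import reduce
from operator import xor


def syndrome(block):
    """m-bit Hamming syndrome of an N_h-bit block as an integer: column j of h^(m)
    is j in binary, so Eq. 4 reduces to the XOR of the 1-indexed positions of 1-bits."""
    return reduce(xor, (j for j, bit in enumerate(block, 1) if bit), 0)


def winnow_block(a_bits, b_bits):
    """Apply Winnow to one N-bit block held by A (a_bits) and B (b_bits).
    Returns (a_kept, b_kept, transcript); transcript lists the public messages
    as (sender, kind, value)."""
    n = len(a_bits)
    m = n.bit_length() - 1
    assert n == 1 << m, "block size must be a power of two"
    transcript = [("B->A", "parity", sum(b_bits) & 1)]
    # privacy maintenance for the parity bit: both drop bit 0, leaving N_h = N - 1 bits
    a, b = list(a_bits[1:]), list(b_bits[1:])
    if sum(a_bits) & 1 == transcript[0][2]:
        return a, b, transcript  # parities agree: nothing more is revealed
    # parities differ (odd number of errors): B sends S_b, A forms S_d and toggles
    # the bit S_d points at (S_d = 0 means the discarded bit 0 was the error)
    s_b = syndrome(b)
    transcript.append(("B->A", "syndrome", s_b))
    s_d = syndrome(a) ^ s_b
    if s_d:
        a[s_d - 1] ^= 1
    # privacy maintenance for the syndrome: drop the bits at positions 2^j, j < m
    keep = [j for j in range(1, n) if j & (j - 1)]  # positions that are not powers of two
    return [a[j - 1] for j in keep], [b[j - 1] for j in keep], transcript


def winnow_pass(a_key, b_key, n):
    """One Winnowing of two equal-length keys in N-bit blocks.
    Returns (a_out, b_out, bits_revealed)."""
    a_out, b_out, revealed = [], [], 0
    for start in range(0, len(a_key) - n + 1, n):
        a, b, transcript = winnow_block(a_key[start:start + n], b_key[start:start + n])
        a_out += a
        b_out += b
        revealed += sum(1 if kind == "parity" else n.bit_length() - 1 for _, kind, _ in transcript)
    return a_out, b_out, revealed


def demo(n=8):
    """Constructed 24-bit key: block 0 has one error, block 1 none, block 2 two errors."""
    rng = random.Random(1)
    a_key = [rng.randint(0, 1) for _ in range(3 * n)]
    b_key = list(a_key)
    for idx in (5, 2 * n + 1, 2 * n + 4):  # constructed error positions
        b_key[idx] ^= 1
    a_out, b_out, revealed = winnow_pass(a_key, b_key, n)
    return {
        "kept_bits": len(a_out),
        "revealed_bits": revealed,
        "remaining_mismatches": sum(x != y for x, y in zip(a_out, b_out)),
    }


if __name__ == "__main__":
    print(demo())
```

With $N = 8$ the single-error block costs $m + 1 = 4$ revealed bits and keeps $N - m - 1 = 4$ bits, the clean block costs 1 bit and keeps 7, and the two-error block also costs only 1 bit and keeps 7, but its errors survive the pass (parities agree), which is why the paper reshuffles the data between iterations.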

IV. WINNOW EFFICIENCY 

Define the change in the number of errors in a given block, for a given initial number of errors, as $\Delta n = n_f - n_i$, where $n_i$ and $n_f = n_f(n_i \mid N)$ are the initial and final numbers of bit errors in a block prior to and after Winnowing, respectively. The average change in the number of errors, for a given number of initial errors, after a Winnowing (this step includes elimination of the parity bit but not the final $m$ bits required for completion of the privacy maintenance step) can be expressed as

$$\overline{\Delta n} = \langle \Delta n(n_i) \rangle = \sum_{\Delta n = -2}^{1} \Delta n \cdot p(\Delta n \mid n_i), \qquad (12)$$

where

$$\sum_{\Delta n = -2}^{1} p(\Delta n \mid n_i) = 1, \qquad (13)$$

and $p(\Delta n \mid n_i)$ is the probability that the number of errors will change by $\Delta n \in \{-2, -1, 0, 1\}$ given an initial condition of $n_i$ errors in an $N$-bit data block. The $p(\Delta n \mid n_i)$ of interest can be written more instructively as

$$\begin{aligned}
p(+1 \mid n_i) &= \pi^{(n)} \cdot \Pi_{S_d \neq 0}(n_i) \cdot \Pi^{(+)}(n_i) \\
p(\pm 0 \mid n_i) &= \pi^{(n)} \cdot \Pi_{S_d = 0}(n_i) + \pi^{(y)} \cdot \Pi_{S_d \neq 0}(\delta n_i) \cdot \Pi^{(+)}(\delta n_i) \\
p(-1 \mid n_i) &= \pi^{(n)} \cdot \Pi_{S_d \neq 0}(n_i) \cdot \Pi^{(-)}(n_i) + \pi^{(y)} \cdot \Pi_{S_d = 0}(\delta n_i) \\
p(-2 \mid n_i) &= \pi^{(y)} \cdot \Pi_{S_d \neq 0}(\delta n_i) \cdot \Pi^{(-)}(\delta n_i),
\end{aligned} \qquad (14)$$

where $n_i$ is as previously defined, $\delta n_i = n_i - 1$, $\pi^{(y,n)}$ depends only on the initial number of errors ($n_i$) in the $N$-bit block and is the probability that the bit discarded for privacy maintenance following the parity check was ($y$), or was not ($n$), in error; $\Pi_{S_d = 0}(n_i \mid \delta n_i)$ and $\Pi_{S_d \neq 0}(n_i \mid \delta n_i)$ are the probabilities that $S_a = S_b$ or $S_a \neq S_b$ for $n_i$ or $\delta n_i$ errors in $N_h$ bits and are concretely defined in Eq. 7, and $\Pi^{(\pm)}(n_i \mid \delta n_i)$ is defined in Eq. 8.

† Exchanging the parity on $N = 2^m$ bits instead of $N_h = 2^m - 1$ bits results in slightly higher channel capacity. That is: more information is revealed when the syndrome information is combined with the parity information on an $N_h$-bit block than is revealed when the parity and syndrome are revealed on $N$ bits in Winnow.

Eq. 12 can be expressed in terms of $\pi^{(y,n)}$, $\Pi_{S_d}$ and $\Pi^{(\pm)}$ as

$$\overline{\Delta n} = \langle \Delta n^{(n)}(n_i) \rangle + \langle \Delta n^{(y)}(n_i) \rangle, \qquad (15)$$

where the arguments which depend on $n_i$ have been suppressed, and

$$\begin{aligned}
\langle \Delta n^{(n)} \rangle &= \pi^{(n)} \cdot \Pi_{S_d \neq 0}(n_i) \cdot \left[ 1 - 2\,\Pi^{(-)}(n_i) \right], \\
\langle \Delta n^{(y)} \rangle &= \pi^{(y)} \cdot \left\{ \Pi_{S_d \neq 0}(\delta n_i) \cdot \left[ 1 - 2\,\Pi^{(-)}(\delta n_i) \right] - 1 \right\}.
\end{aligned} \qquad (16)$$

The final quantity needed to calculate the efficiency of Winnow is $\pi^{(y,n)}$:

$$\pi^{(y)} = \frac{n_i}{N}, \quad \text{where} \quad \pi^{(y)} + \pi^{(n)} = 1.$$



Table I and Table II provide a concrete example, for the special case of $m = 3$, of the effects of Winnow on blocks with exactly $n_i \in \{0, \ldots, 8\}$ errors. Table I introduces a new quantity

$$\bar n_f = \langle n_f \rangle = n_i + \overline{\Delta n}, \qquad (17)$$

and in Table II a new parameter

$$p_f = \frac{\bar n_f}{N_f} \qquad (18)$$

is defined.

The parameter $p_f$ defines the probability for each bit in a given block to be in error. The number $N_f \in \{N - 1, N - m - 1\}$ and its value depends on the action required by Winnow for a given number of initial errors. For example, $N_f = N - 1$ or $N - m - 1$ for $p_f$ and $n_i$ even or odd, respectively.

These two tables illustrate the effect of Winnow on data which are divided into 8-bit blocks. The values marked with superscript $p$ reflect the effect of discarding one bit following the parity comparison. The values marked with superscript $ph$ refer to the data after the Hamming algorithm is also applied, but before the requisite $\log_2(N) = 3$ bits of data are discarded for privacy maintenance. The final values denoted by subscript $f$ reveal the effect of Winnow (including the effect of all discarded data required for privacy maintenance).

The parameter $p_f$ clearly shows a reduction in errors for $n_i = 1$ and an increase in errors for $n_i = 3$. It also shows that discarding data to maintain privacy of the remaining key has no effect on the error probability.

The fraction of key remaining after a Winnowing is given by

$$\mu_N = \frac{\langle N_f \rangle}{N} = \frac{\sum_{n_i = 0}^{N} N_f(n_i)\, P(n_i \mid N)}{N}, \qquad (19)$$

and the probability for any key bit to be in error following a Winnowing is

$$p_N = \frac{\sum_{n_i = 0}^{N} \bar n_f(n_i)\, P(n_i \mid N)}{\langle N_f \rangle}, \qquad (20)$$

where $P(n_i \mid N)$ is the probability for an $N$-bit block to contain $n_i$ errors before a Winnowing.

Obviously, the efficiency with which Winnow removes errors depends upon the distribution of errors within the data. Without intimate knowledge of a specific QKD apparatus, a reasonable assumption is that the errors are random and normally distributed throughout the data. Given this assumption, $P(n_i \mid N)$ in Eq. 20 is given by the binomial distribution

$$P(n_i \mid N, p_0) = \binom{N}{n_i}\, p_0^{\,n_i}\, (1 - p_0)^{N - n_i}, \qquad (21)$$

where $p_0$ is the probability that any given bit is in (relative) error.

With this assumption, Eqs. 19 and 20 can be expressed as

$$\mu_N = \frac{N - 1 - m \sum_{n_i\ \mathrm{odd}} \binom{N}{n_i}\, p_0^{\,n_i}\, (1 - p_0)^{N - n_i}}{N}, \qquad (22)$$

where $m = \log_2(N)$, and

$$p_N = \frac{\sum_{n_i = 0}^{N} \bar n_f(n_i) \binom{N}{n_i}\, p_0^{\,n_i}\, (1 - p_0)^{N - n_i}}{N \mu_N}. \qquad (23)$$
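To make Eqs. 12 through 23 concrete, the Python below is an added example (not the paper's code or tables) that computes, for an $N$-bit block, the average change in errors after the parity step and the conditional Hamming step, the resulting $\bar n_f$ and $p_f$ of Eqs. 17 and 18, and then the binomial averages $\mu_N$ and $p_N$ of Eqs. 22 and 23 for a chosen $p_0$. It takes $\pi^{(y)} = n_i/N$, uses Eq. 5 for the Hamming counts, and, following the paper's statement that discarding the $m$ privacy-maintenance bits leaves the per-bit error rate unchanged, scales $\bar n_f$ to $N_f$ bits; even $n_i$ (parities agree) is treated as a parity step only. The $N = 8$, $p_0 = 0.05$ figures are this example's choice.

```python
# Added example (not from the paper): per-block averages of Eqs. 12-18 and the
# binomial averages of Eqs. 21-23 for one Winnowing, with Eq. 5 for the counts.
from fractions import Fraction
from math import comb


def n_sd_zero(m, n_i):
    """Eq. 5 solved for N_{S_d=0}: arrangements of n_i errors in 2^m - 1 bits with S_d = 0."""
    n_h = 2 ** m - 1
    if not 0 <= n_i <= n_h:
        return 0
    q, p = -(-n_i // 2), n_i // 2  # ceil(n_i/2), floor(n_i/2)
    return (comb(n_h, n_i) + (-1) ** q * n_h * comb(2 ** (m - 1) - 1, p)) // (n_h + 1)


def hamming_drift(m, n_i):
    """Pi_{S_d!=0} * (Pi^(+) - Pi^(-)) from Eqs. 6-8: mean change in the error count
    caused by one Hamming correction on N_h bits holding n_i errors."""
    total = comb(2 ** m - 1, n_i)
    if total == 0:
        return Fraction(0)
    n_plus = (n_i + 1) * n_sd_zero(m, n_i + 1)
    n_minus = total - n_sd_zero(m, n_i) - n_plus
    return Fraction(n_plus - n_minus, total)


def mean_delta_n(n_i, n):
    """Eqs. 12-16: average change in errors after the parity step (and, for odd n_i,
    the conditional Hamming step) on an N-bit block; pi^(y) = n_i / N (assumed)."""
    m = n.bit_length() - 1
    pi_y = Fraction(n_i, n)
    if n_i % 2 == 0:  # parities agree: only the dropped bit can remove an error
        return -pi_y
    return (1 - pi_y) * hamming_drift(m, n_i) + pi_y * (hamming_drift(m, n_i - 1) - 1)


def block_outcome(n_i, n):
    """Eqs. 17-18 -> (N_f, mean n_f, p_f). The m syndrome bits are dropped without
    changing the per-bit error rate (as the paper states), so n_f scales with N_f."""
    m = n.bit_length() - 1
    n_f_bits = n - 1 if n_i % 2 == 0 else n - m - 1
    errors_left = n_i + mean_delta_n(n_i, n)  # over the N - 1 bits after the parity step
    n_f = errors_left * Fraction(n_f_bits, n - 1)
    return n_f_bits, n_f, n_f / n_f_bits


def binomial(n_i, n, p0):
    """Eq. 21."""
    return comb(n, n_i) * p0 ** n_i * (1 - p0) ** (n - n_i)


def mu_n(n, p0):
    """Eq. 22: fraction of key left after one Winnowing."""
    m = n.bit_length() - 1
    return (n - 1 - m * sum(binomial(k, n, p0) for k in range(1, n + 1, 2))) / n


def kept_fraction_from_blocks(n, p0):
    """Eq. 19 evaluated block by block; must agree with mu_n(n, p0)."""
    return sum(block_outcome(k, n)[0] * binomial(k, n, p0) for k in range(n + 1)) / n


def p_n(n, p0):
    """Eqs. 20/23: per-bit error probability of the key left after one Winnowing."""
    num = sum(float(block_outcome(k, n)[1]) * binomial(k, n, p0) for k in range(n + 1))
    return num / (n * mu_n(n, p0))


if __name__ == "__main__":
    for k in range(9):
        n_f_bits, n_f, p_f = block_outcome(k, 8)
        print(f"n_i={k}: N_f={n_f_bits} n_f={n_f} p_f={p_f}")
    for p0 in (0.01, 0.05, 0.10):
        print(f"N=8 p0={p0}: mu_N={mu_n(8, p0):.4f}  p_N/p0={p_n(8, p0) / p0:.3f}")
```

The $N = 8$ rows reproduce the behaviour the paper attributes to its tables: a single-error block always ends with $p_f = 0$, a three-error block ends with $p_f = 1/2$ (up from $3/8$), and even $n_i$ leaves the per-bit rate unchanged. For $p_0 = 0.05$ one Winnowing with $N = 8$ keeps about 77% of the key and lowers the per-bit error probability to roughly a third of $p_0$.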



The efficiency with which Winnow reduces errors in the key is of great interest. Two related issues which concern the efficiency are: 1) the number of iterations of Winnow necessary to achieve a sufficiently low probability of error in the remaining key data, and 2) the amount of key data that is discarded through privacy maintenance.

The number of iterations is of concern because each it- 
eration reveals information and consumes time with each 
communication between A and B. Moreover, each com- 
munication requires the use of some private key for sig- 
nature authentication [7]. Most importantly, though, is 
that each iteration requires a significant amount of data 
to be discarded through privacy maintenance. 

Smaller $N$ require more data to be discarded than larger $N$, as can be seen from Eq. 22. However, an effect which tends to mollify this undesirable condition is that smaller $N$ are more efficient at removing errors for larger values of initial error probability. This effect is illustrated in Fig. 1, where we have plotted $p_N/p_0$ for several values of $N$. For all values of $N$ and $p_0$ sufficiently small, $p_N/p_0 < 1$ and the protocol can remove errors from the key data. However, as $p_0$ increases from $p_0 = 0$, each of the curves passes through $p_N/p_0 = 1$, indicating that additional errors are being introduced into the key. Moreover, the value of $p_0$ for which $p_N/p_0 = 1$ is smaller for larger $N$, and the curves do not intersect between $p_0 = 0$ and $p_N/p_0 = 1$.

As a primary requirement of Winnowing real data in an iterative application, a random shuffling of the data between iterations is essential to randomly redistribute missed or introduced errors. Without this random shuffle, multiple errors remain clumped together and, in essence, are impossible to completely remove from the data. Under this constraint it is obvious that the final error probability, and the amount of data remaining after a number of Winnowings, depends on the way in which $N$ is varied throughout the successive Winnowings. An intuitive result which we have verified empirically is that less data are discarded for the same initial and final error probabilities if $N$ is chosen well for the first iteration and is either held constant or increased for all subsequent iterations; there is no advantage to decreasing $N$ in subsequent iterations if Winnow is applied as outlined here.

Define

$$p(p_0; \{j_N\}) \qquad (24)$$

and

$$\mu(p_0; \{j_N\}) \qquad (25)$$

as the final error rate and fraction of data remaining after a sequence $\{j_N\} = \{j_8, j_{16}, j_{32}, j_{64}, j_{128}\}$, where $j_N$ iterations of Winnow are applied with a block size $N \in \{8, 16, 32, 64, 128\}$, beginning with $N = 8$ and increasing monotonically in $N$ by factors of 2.‡

Because $p_8 < p_0$ for all $p_0 < 0.5$, it may appear that errors can be corrected in the data for this entire range of initial error probability. However, there is another criterion that must be met which significantly reduces the maximum correctable error probability: there must remain a finite amount of error-free data after the potential information possessed by E is reduced through privacy amplification.

The maximum amount of potential information possessed by E can be determined by the initial error probability $p_0$ and depends on the QKD protocol and the type of attacks being employed. For example, if the BB84 protocol is used and E employs a complete intercept/resend attack on the quantum channel in the same bases used by B, she will introduce an error probability of $p_0 = 1/4$. She will also potentially know 1/2 of the data before error reconciliation and up to 2/3 of the data which remains after error reconciliation.

If E uses a more clever intercept/resend strategy of detecting and resending in the Breidbart basis (second paper in [4]), she would introduce the same number of errors ($p_0 = 1/4$) and could know up to a fraction of 0.59 of the data before error reconciliation and 0.78 of the data remaining after error reconciliation.

It should also be noted that certain states of light are 
more susceptible to attack than others. For example, 
consider weak coherent states which are commonly used 
in QKD systems. If E also employs a beamsplitter at- 
tack [3,4,12] against one of these systems, an additional 
amount of data is compromised which is not greater than 
the mean number of photons in the state. However, this 
value can be made arbitrarily small so it is neglected in 
the following calculations. Moreover, other states of light 
can be used in QKD schemes which are not vulnerable 
to this type of attack [13]. 

Thus, the fraction of data remaining after error reconciliation and privacy amplification can be

$$\nu^{\mathrm{bb84}} = \mu - (0.59) \cdot 4 p_0 \qquad (26)$$

for BB84, where $\nu$ describes the remaining fraction of key.

From the above considerations, $p$ and $\nu$ can be investigated as a function of $p_0$. Of particular interest is the maximum $p_0$ for which some secure data remains while achieving a sufficiently low final error probability to make the data useful. We have chosen, somewhat arbitrarily, $p < 10~^$ as a reasonable target for the final error probability.

‡ In this work $N$ is constrained such that $N \leq 128$ only for the sake of brevity. We have found that this constraint does not impose a serious limit on the ability of Winnow to correct errors. The ideas discussed below can be extended to include $N > 128$ in a straightforward manner.

With this target and the remaining fraction of private data described by Eq. 26, we find that the largest initial error probability for which some private data remains after Winnowing and privacy amplification is

$$p_0 = 0.1322. \qquad (27)$$

To achieve $p \leq 10~^$ from this large initial error probability, Winnow must be applied in the sequence $\{j_N\} = \{3, 1, 0, 1, 3\}$. That is, 3 Winnowings with $N = 8$ must be followed by 1 Winnowing with $N = 16$, etc. If this prescription is followed,

$$\nu^{\mathrm{bb84}} \approx 0.0017 \qquad (28)$$

of the original data remain and are secure following privacy amplification.

Some QKD schemes require a larger estimate of E's knowledge. If Eq. 26 is replaced with [4]

$$\nu = \mu - 2\sqrt{2}\, p_0, \qquad (29)$$

we find

$$p_0 = 0.1222 \qquad (30)$$

for $\{j_N\} = \{3, 0, 1, 0, 4\}$. This leaves a fraction $\nu = 0.0017$ of the original data as secure data with a single-bit error probability $< 10~^$.

Finally, if we estimate that E knows every bit of data by causing $p_0 = 1/4$, then

$$\nu = \mu - 4 p_0. \qquad (31)$$

We then find that the largest reconcilable $p_0$ is

$$p_0 = 0.1037 \qquad (32)$$

for $\{j_N\} = \{2, 1, 1, 0, 3\}$ and $\nu = 0.0020$.

The most efficient iteration sequence ($\{j_N\}$) for any QKD scheme can be determined by first applying Winnow with $N = 8$ to estimate $p_0$. Once the number of blocks with odd and even (even includes zero) errors, $M^{\mathrm{odd}}$ and $M^{\mathrm{even}}$ respectively, are known, the fraction

$$\frac{\#\text{ of Parity Errors}}{\#\text{ of Blocks}} = \sum_{n_i\ \mathrm{odd}} \binom{N}{n_i}\, p_0^{\,n_i}\, (1 - p_0)^{N - n_i} \qquad (33)$$

can be used to estimate $p_0$. Knowledge of $p_0$ is sufficient to determine the $\{j_N\}$ which maximizes $\nu$.

For small $p_0$, the most efficient $\{j_N\}$ may start with $N > 8$. However, working systems that have been reported in the literature [4,14] have large enough error probabilities so that the most key is left if $N = 8$ for at least the first iteration.



A detailed analysis of the advantages of Winnow over 
other protocols is beyond the scope of this work. How- 
ever, it is instructive to note the advantages over at least 
the best-known protocol CASCADE. 

The most notable difference between Winnow or BINARY and CASCADE is that CASCADE does not employ privacy maintenance. The disadvantage of such a protocol is that super-redundant information must be exchanged with each successive iteration. This is to be compared with BINARY and Winnow, which reduce the size of the data set with each communication. With the reasonable requirement that a bit revealed through these communications requires at least a bit to be eliminated through some channel, either before or during privacy amplification, the inefficiency of keeping all bits until all errors are removed becomes obvious: retaining and repetitively exchanging information on the same bits is an additional expense to the protocol.

For the purpose of comparison, we have computed 
the maximum $p_0$ for which BINARY (less privacy mainte- 
nance) can successfully reconcile errors and preserve a 
small amount of secure data after privacy amplification 
and the removal of the super-redundant information. We 
find 

$p_0 = 0.114$ (34) 

for $\{J_N\} = \{2, 1, 0, 2, 1\}$ and $\nu = 0.01$ for BINARY when $(0.59)\,4p_0$ 
describes the additional amount of key that must be dis- 
carded through privacy amplification. This is to be com- 
pared with $p_0 = 0.1322$ for the same considerations with 
Winnow. This application of BINARY is a reasonable ap- 
proximation to CASCADE, which may include a higher 
order correction giving a slightly higher overall error re- 
duction than BINARY without privacy maintenance. 

This comparison (or any of the previous discussion) 
does not take into account bits used to authenticate mes- 
sages sent between A and B. Both CASCADE and BI- 
NARY require significantly more two-way communica- 
tion than Winnow, and each packet of $n$ bits sent may re- 
quire $[\log_2(n)]$ bits for authentication [7]. We calculate that 
the most efficient application of CASCADE requires a 
minimum of $1 + \log_2(N)$ communications per iteration, 
while Winnow requires only 2 communications for any 
block size $N$ that exhibits a parity error; the additional 
communications required impose a tight limitation on 
practical efficiency. In addition, because CASCADE does 
not maintain privacy, subsequent iterations require more 
bits to be exchanged in the initial parity phase with each 
iteration. The additional bit exchanges may require ad- 
ditional signature authentication bits. 

We acknowledge that because CASCADE and BI- 
NARY always remove a single error and never introduce 
additional errors into multiple-error blocks, both BINARY 
and CASCADE perform infinitesimally better than Win- 
now in an environment where signature authentication is 
not required and privacy maintenance is removed from 
the Winnow and BINARY protocols. However, Win- 
now's 2 communications is a great advantage where time 
is of the essence with regard to production of secure key 
bits over inefficient noisy quantum channels. 

V. CONCLUSION 

We have identified a new, fast, efficient, error recon- 
ciliation protocol for quantum key distribution which re- 
quires only 2 communications between the two parties 
attempting to reconcile private, quantum key material. 
We refer to this protocol as Winnow. 

Winnow incorporates a preliminary parity comparison 
on blocks whose size is $N = 2^m$ where $m \in \{3, 4, 5, 6, \ldots\}$. 
Subsequently, one bit is discarded from these blocks to 
maintain the privacy of the remaining bits. A Hamming 
hash function, which can be used to correct single errors, 
is applied to the remaining $N - 1$ bits on the blocks whose 
parities did not agree. Finally, $m$ bits are discarded from 
the blocks on which the Hamming algorithm was applied 
to maintain the privacy of those bits. 
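The protocol steps just summarized, as an added example that is not the paper's own code: one Winnow pass on a single block of $N = 2^m$ bits (parity exchange, one-bit discard, Hamming syndrome exchange on the remaining $N - 1$ bits of a mismatching block, $m$-bit discard), followed by an exhaustive enumeration over all placements of $n$ errors in an 8-bit block that reproduces the per-block error counts of Table I. The paper does not say which bits are dropped for privacy; dropping the last bit after the parity exchange and the $m$ Hamming check positions $1, 2, 4, \ldots$ after the syndrome exchange is an assumption of this example, and the sample block in the usage is constructed.

```python
"""One Winnow pass on a block of N = 2**m bits, plus an exhaustive
enumeration that reproduces the per-block error counts of Table I
(N = 8, m = 3).  Added example, not the paper's code.  The paper does
not say which bits are dropped for privacy; this example drops the last
bit after the parity exchange and the m Hamming check positions
1, 2, 4, ..., 2**(m-1) after the syndrome exchange (assumption)."""
from itertools import combinations
from math import comb


def parity(bits):
    return sum(bits) & 1


def hamming_syndrome(bits):
    """Syndrome of a (2**m - 1)-bit word: XOR of the 1-based positions
    that hold a 1.  For a single error it names the error position."""
    s = 0
    for pos, b in enumerate(bits, start=1):
        if b:
            s ^= pos
    return s


def hamming_correct(alice_bits, bob_bits):
    """Bob's side of the syndrome exchange: Alice's syndrome XOR Bob's is
    the syndrome of the error pattern; Bob flips the bit it names
    (nothing if it is 0).  With 3, 5, ... errors this can flip a
    correct bit, which is why the odd columns of Table I can grow."""
    corrected = list(bob_bits)
    s = hamming_syndrome(alice_bits) ^ hamming_syndrome(corrected)
    if s:
        corrected[s - 1] ^= 1
    return corrected


def kept_positions(m):
    """0-based indices kept after the syndrome exchange: every position
    except the m powers of two 1, 2, 4, ... (assumed discard rule)."""
    return [i for i in range(2 ** m - 1) if (i + 1) & i != 0]


def winnow_block(alice, bob, m):
    """One Winnow pass on a single block.  Returns (alice_kept,
    bob_kept, n_messages); n_messages is 1 when parities agree and 2 when
    the Hamming syndrome also had to be sent."""
    N = 1 << m
    if len(alice) != N or len(bob) != N:
        raise ValueError("block must hold exactly 2**m bits")
    a, b = list(alice[:-1]), list(bob[:-1])   # parity revealed: drop one bit
    if parity(alice) == parity(bob):
        return a, b, 1
    b = hamming_correct(a, b)                   # syndrome revealed ...
    keep = kept_positions(m)                    # ... drop m more bits
    return [a[i] for i in keep], [b[i] for i in keep], 2


def expected_errors(n, m=3):
    """Average number of errors left in a block that started with n
    errors, over all C(N, n) placements: (after the parity-stage
    discard, after Hamming, after the final discard), i.e. one column
    of Table I for m = 3."""
    N = 1 << m
    keep = kept_positions(m)
    tot_p = tot_h = tot_f = 0
    for err in combinations(range(N), n):
        alice = [0] * N                         # only error positions matter
        bob = [1 if i in err else 0 for i in range(N)]
        a, b = alice[:-1], bob[:-1]
        tot_p += sum(b)
        if n % 2:                               # parity mismatch
            b = hamming_correct(a, b)
            tot_h += sum(b)
            tot_f += sum(b[i] for i in keep)
        else:                                   # even n: nothing more is done
            tot_h += sum(b)
            tot_f += sum(b)
    k = comb(N, n)
    return tot_p / k, tot_h / k, tot_f / k


if __name__ == "__main__":
    # Constructed block: Bob differs from Alice in one bit.
    alice = [1, 0, 1, 1, 0, 0, 1, 0]
    bob = alice[:]
    bob[2] ^= 1
    print(winnow_block(alice, bob, 3))
    for n in range(1, 9):
        print(n, expected_errors(n))
```

The enumeration makes the two failure modes visible: with three or five errors the combined syndrome points at a bit that is either already wrong or, for the 4/5 of patterns that are not Hamming codewords, a correct one, so the count after Hamming can exceed the count before it; blocks with an even number of errors are never touched beyond the first discard.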

We find this protocol capable of correcting an initial 
error probability of up to 13.22% in privacy amplified 
BB84-like quantum key distribution schemes. 
FIG. 1. The ratio $p_N/p_0$ for $N = 8$, 16 and 32. These 
curves illustrate the change in the probability that a given 
bit is in error after a single application of Winnow for the 
indicated block size $N$. Note that $(p_8 < p_{16})\ \forall\ (p_0 < 0.38)$; 
in addition, $(p_{16} < p_{32})\ \forall\ (p_0 < 0.20)$. This indicates that 
applications of Winnow with smaller $N$ are more efficient at 
removing errors than are applications with larger $N$ within 
the region where $p_0$ satisfies these conditions. 



TABLE I. $\mu_f$ for $N = 8$ for various stages in Winnow (note 
that Hamming is not applied to blocks that contain an even 
number of errors). 

 n (errors in block)           1      2      3      4      5      6      7      8 
 after parity discard       0.88   1.75   2.63   3.5    4.38   5.25   6.13   7 
 $\mu_h$ (after Hamming)       0      1.75   3.5    3.5    3.5    5.25   7      7 
 $\mu_f$ (after final discard) 0      1.75   2.0    3.5    2.0    5.25   4      7 

TABLE II. $\mu_f/N_f$ for $N = 8$ for various stages in Winnow 
(note that the Hamming component of Winnow is not applied 
to blocks that contain an even number of errors). 